Friday, September 08, 2006

It's not MS06-042...it's a new and improved MS06-014

In the cold hard light of day, it turns out that the new exploit that we found last night is not MS06-042. Instead, it seems it's an improved MS06-014 (MDAC) exploit.

Here is what we know, after spending much of the day looking at it.

(1) It definitely infects April and June patched machines. It doesn't infect an August patch.

(2) MS06-014 (MDAC) would only infect up to and including March, so this is at least two months better.

(3) Nothing in the August patch set actually matches this, although on the surface one part of MS06-042 looks close, so it seems that something might have been silently fixed in August (or perhaps July... we're still checking that out).

(4) The differences between the two attack scripts are minor, but very instructive. One gets the impression that there are many minor improvements that might be made and tried. We can be sure that the Bad Guys are looking at it right now and thinking. We can expect many tweaks to this.

(5) A great question would be to ask how a small tweak to the MDAC attack script allowed it to get past two months of patches.